Open db via master pw on text file

I want to launch bitwarden and open the database with a master password on a text file. I can do this with keepassxc but can't figure out how to do it in bitwarden or bw cli.

This doesn’t sound like anything that is possible to do in Bitwarden (unless you want to write a custom script using the CLI).

But it’s also not clear from your post what exactly you are trying to achieve. If you are referring to a so-called “key file”, then please note that Bitwarden has no plans to implement such a feature.

I have a laptop that is connected to a NAS device. Using KeePassXC, when a browser is launched, a script runs that launches KeePass and uses a password file on the NAS to authenticate to the database. If the laptop is stolen there is no access to the NAS so authentication fails.

I would like to do this same thing with bitwarden.

I’m still confused about what you’re trying to do.

Is your Bitwarden account self-hosted using an on-premises server?

Bitwarden does have a login-with-device mechanism, but it is much more sophisticated and secure than just storing your master password in an accessible text file.

Bitwarden allows one logged in device (such as the Bitwarden app on your phone) to authorize your login request on another device (such as the Chrome extension on your laptop).

Crucially, though, during the process your phone prompts “Are you trying to login?”, to which you must click “confirm”. This “demonstration of user intent” is missing from the "text file on a NAS share" approach. The value user-intent brings is preventing a bad actor that has pwned your laptop from escalating their privileges right into your vault.

On Bitwarden CLI you can do it by assigning the master password to an environment variable like this:

export BWMP="$(cat /unsecured/file/with/master/password/on/my/nas)"
bw login --passwordenv BWMP my@email.address

I don’t think anything like this can be done with the desktop client.

However, as has already been said in this thread, I would not store my master password in an unencrypted file on any of my devices (nas, desktop pc, laptop, or whatever).

If that device is compromised it’s game over for your vault.
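A fail-closed variant of the `--passwordenv` approach above, as an added example that is not part of the original posts: it refuses to proceed when the password file is missing (for instance, the NAS share is not mounted), empty, or accessible to group or others, and it passes the variable to a single `bw` command instead of exporting it. The function names and the `--run` switch are hypothetical; the resulting session key applies to the `bw` CLI only.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed wrapper around
# `bw unlock --passwordenv`. Function names are hypothetical.

# check_secret_file PATH
# Returns 0 if usable, 2 if missing/unreadable (e.g. NAS not mounted),
# 3 if group or others have any permission on it, 4 if it is empty.
check_secret_file() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] || return 2
    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ] || return 3
    [ -s "$f" ] || return 4
    return 0
}

# unlock_vault PATH
# Prints the CLI session key on stdout; returns 5 if bw is not installed.
unlock_vault() {
    check_secret_file "$1" || return $?
    command -v bw >/dev/null 2>&1 || return 5
    # The assignment prefix scopes BWMP to this one command, so the
    # master password does not linger in the shell's exported environment.
    BWMP=$(cat -- "$1") bw unlock --passwordenv BWMP --raw
}

# Runs only when invoked as: script.sh --run /path/to/password/file
if [ "${1:-}" = "--run" ]; then
    BW_SESSION=$(unlock_vault "${2:?password file path required}") || {
        echo "vault not unlocked (status $?)" >&2
        exit 1
    }
    export BW_SESSION   # session key for later bw commands in this shell
    bw status
fi
```
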

My wife and I are senior citizens. We run xubuntu on our laptops and have Android tablets and phones. I run bitwarden on all my devices. I tried running bitwarden on my wife’s laptop but she is not good at remembering passwords so I took it off.

My primary security concern is to protect us from someone breaking into our home and stealing our laptops. Our network configuration includes a NAS device in the basement.

On her laptop, I currently use keepassxc. The password for the keepassxc database is on a text file on the NAS. When my wife launches firefox, a shell script opens the keepassxc database with a password, stored in a text file on the NAS, and then starts firefox.

I would like to again run bitwarden on my wife’s laptop. However, I do not want to run bitwarden with the vault timeout set to never. So ideally, I would like to have the shell script open the bitwarden vault with the master password from the NAS and then launch firefox.

How does your wife perform the login process? Is she using a fingerprint or is automatic login enabled?

My point is: If you encrypt the SSD of the notebook so that the encryption only happens when she logs in, a stolen notebook is much less scary.

The laptop does not support biometrics.

The home partition is encrypted with ecryptfs.

And how is this encryption unlocked? Does your wife use a password in absence of biometrics?

Sorry, off topic.

I am sorry if I misunderstood the topic. I was under the impression that your main concern here is the stealing of your notebooks containing the password manager and you would like to mitigate the risks.

Your initial proposal (unlocking via file) already describes a solution, but as explained this does not work with Bitwarden. So I tried to find a different solution. My initial idea was to use the Bitwarden app in “always unlocked” mode in combination with a fingerprint sensor to unlock the browser extension, but since the notebook lacks this feature, this will not work.

I’m (still) a bit confused. You seem to constantly log in and log out on your Bitwarden clients. A common usage is to just lock and unlock Bitwarden. (–> Understand Log In vs. Unlock | Bitwarden)

If your laptop doesn’t have biometrics, then you could just use unlock with PIN. The PIN can be much easier/shorter than the master password.

Only a future possibility: BW is currently developing passkey login and unlock for the (Chromium-)browser extensions. With a physical security key, which would support biometrics (like the YubiKey Bio), you could even bring biometrics to your laptop that way.

Ahhh, unlock by pin looks very attractive. Will look at it and she can test :slight_smile:

Edit: Yes, changing to a pin worked, she is OK with it.


If the browser (with Bitwarden browser extension) or the Bitwarden desktop app are restarted, then she (or you!) would still need to enter the master password. There is an option to disable this requirement, but enabling that option would make your vault data vulnerable if her laptop was stolen (which is a scenario in your threat model).

Unclear how the password in the text file is used to open the KeePassXC database. If she is just copying it from the text file and pasting it into KeePassXC, then why couldn’t she use the exact same method with Bitwarden? Just replace the KeePassXC password with the Bitwarden master password in your text file.